How secure are your mobile payment apps?

The Centre for Software and IT Management at the Indian Institute of Management – Bangalore, which conducted the study, also found the risk to be high in every system it examined except one.

The study covered mobile wallets such as Paytm and Freecharge, apps that link directly to bank accounts such as BHIM (Bharat Interface for Money) and PhonePe, banks' own apps for account holders, and USSD (Unstructured Supplementary Service Data), a session-based protocol that GSM phones use to exchange short text strings with the mobile operator's servers. USSD was found to be the least vulnerable of these.

The researchers, led by Prof Rahul De, evaluated the systems using the risk management principles laid down by the Basel Committee on Banking Supervision and the RBI. Security risks are highest when a user misplaces the phone, since whoever picks it up can read the records of previous transactions, the study concluded. It also warned that Paytm's access to the one-time passwords that banks send by SMS is a potential risk.

Observing that Paytm and Freecharge do not log the user out automatically, the study said this leaves room for unauthorised usage. The wallets allow third-party vendors like Uber and Big Basket to deduct money from an account without explicitly seeking the user’s consent, the study said.
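Both weaknesses flagged here, a session that never times out and third-party debits without explicit consent, come down to missing authorization checks at the moment money moves. The following Python sketch is an added example, not code from the study or from any wallet vendor; every name in it (the Wallet and Session types, the 5-minute timeout, the merchant names and amounts) is a hypothetical stand-in. It places the flagged behaviour beside a hardened version with an idle timeout, re-authentication, and bounded merchant mandates the user has granted explicitly.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 300  # hypothetical policy: lock after 5 idle minutes


class AuthorizationError(Exception):
    """Raised when a debit is attempted without a live session or consent."""


@dataclass
class Session:
    user: str
    last_activity: float  # epoch seconds of the last user action
    unlocked: bool = True


@dataclass
class Wallet:
    balance: int  # minor currency units (e.g. paise), constructed values
    session: Session
    # merchant -> per-transaction cap the user explicitly approved
    mandates: dict = field(default_factory=dict)


def weak_debit(wallet: Wallet, merchant: str, amount: int) -> int:
    """The flagged behaviour: no idle check and no consent check, so whoever
    holds the phone, or any integrated merchant, can move money."""
    wallet.balance -= amount
    return wallet.balance


def _check_idle(wallet: Wallet, now: float) -> None:
    """Lock the session once it has been idle longer than the timeout."""
    if now - wallet.session.last_activity > IDLE_TIMEOUT_SECONDS:
        wallet.session.unlocked = False


def unlock(wallet: Wallet, now: float) -> None:
    """Stands in for the user re-authenticating (PIN, biometric, app lock)."""
    wallet.session.unlocked = True
    wallet.session.last_activity = now


def grant_mandate(wallet: Wallet, merchant: str, cap: int, now: float) -> None:
    """Record explicit, bounded consent for a merchant to debit without a prompt."""
    _check_idle(wallet, now)
    if not wallet.session.unlocked:
        raise AuthorizationError("session locked; re-authenticate before granting consent")
    wallet.mandates[merchant] = cap
    wallet.session.last_activity = now


def hardened_debit(wallet: Wallet, merchant: str, amount: int,
                   now: float, user_present: bool = False) -> int:
    """Debit only from a live session and only with consent: either the user
    is present to approve this transaction, or the merchant holds a mandate
    and the amount is within its cap."""
    _check_idle(wallet, now)
    if not wallet.session.unlocked:
        raise AuthorizationError("session locked after inactivity; re-authenticate")
    if amount <= 0 or amount > wallet.balance:
        raise ValueError("invalid amount")
    cap = wallet.mandates.get(merchant)
    if cap is None and not user_present:
        raise AuthorizationError(f"{merchant} has no mandate; explicit approval required")
    if cap is not None and amount > cap:
        raise AuthorizationError(f"{merchant} exceeds its approved cap of {cap}")
    wallet.balance -= amount
    wallet.session.last_activity = now
    return wallet.balance


def run_scenario() -> dict:
    """Constructed walk-through of the hardened path; returns each step's outcome."""
    t0 = 1_000_000.0
    w = Wallet(balance=50_000, session=Session(user="alice", last_activity=t0))
    out = {}
    # user is at the phone and approves a cab fare
    out["user_pays"] = hardened_debit(w, "cab-co", 10_000, now=t0 + 10, user_present=True)
    # a merchant tries to pull funds with no mandate and no user present
    try:
        hardened_debit(w, "grocer", 5_000, now=t0 + 20)
        out["no_consent"] = "allowed"
    except AuthorizationError:
        out["no_consent"] = "refused"
    # user explicitly grants a capped mandate, then the merchant debits within it
    grant_mandate(w, "grocer", cap=5_000, now=t0 + 30)
    out["mandate_ok"] = hardened_debit(w, "grocer", 4_000, now=t0 + 40)
    try:
        hardened_debit(w, "grocer", 6_000, now=t0 + 50)
        out["over_cap"] = "allowed"
    except AuthorizationError:
        out["over_cap"] = "refused"
    # ten idle minutes later the session is locked, even for a mandated merchant
    try:
        hardened_debit(w, "grocer", 1_000, now=t0 + 650)
        out["after_idle"] = "allowed"
    except AuthorizationError:
        out["after_idle"] = "refused"
    unlock(w, now=t0 + 700)
    out["after_unlock"] = hardened_debit(w, "grocer", 1_000, now=t0 + 710)
    return out
```

The idle check runs inside every money-moving call rather than in a background timer, so a phone picked up after the timeout cannot spend even if the UI is still showing the last screen; the mandate table makes third-party access opt-in and capped instead of implicit.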

The government-launched app BHIM takes up to two minutes to confirm a successful transaction. For a failed transaction, it takes up to 10 hours to notify the user, according to the findings.

“However, even while we were conducting the study, we observed that the features of the apps and services were constantly evolving and changing,” Prof De said in a statement. The evaluation was based on a study conducted between December 2016 and January 2017. “It is likely some of the concerns presented in this report have been addressed, and perhaps new concerns have emerged,” he said.

Deepak Abbot, senior vice president, Paytm, responded to the study, saying, “We do not store any confidential data, including SMSes sent by banks, from the user’s device.”

He advised users to activate the app lock feature and cited enhanced user experience to defend the absence of automatic locking. Paytm allows transactions without OTP only in the case of two companies, Zomato and Uber, and they are “responsible companies”, he said.